Microsoft Word 0day used to push dangerous Dridex malware on millions

> no one has ruled out that exploits might also be possible against Mac versions.

Everything might be possible. How about some information on whether this exploit works on macOS or not.

Edit: I just learned that the payload is an .exe file so I assume this exploit doesn't work on Word for Macs.

The specific exploit obviously won't work on Macs. But so far there's no indication that the Mac versions of Word suffer from the same vulnerability that could be exploited by Mac-specific attack code.

I'm not sure exactly how you expect me to get definitive information about whether Mac versions are vulnerable or not. Did you see the part of the story about Microsoft maintaining radio silence even though it's known of this vulnerability since January? My job is to report all available information, which is what this story does. If information simply isn't available would you prefer we not report anything at all?

In any event, I included the sentence about Word for Mac possibly being vulnerable because these attacks are nasty, and until we can rule out Mac versions being vulnerable, users are better off assuming they are susceptible and being extra careful.

>> As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever.
>
> but keeps deemphasizing this:
>
>> The attacks observed by McAfee are unable to work when a booby-trapped document is viewed in an Office feature known as Protected View.

As pointed out in the article, Protected View must be disabled to print a document. This kind of behavior is common in many offices, as some of your fellow commenters have noted. Consequently, convincing a recipient to open and print a document is a relatively low bar to pass. Please spare us your fake outrage.

I really couldn't make sense of truthyboy's post. What's he trying to say? IF (big "IF") Ars is in fact deemphasizing that the attacks "are unable to work when a booby-trapped document is viewed in an Office feature known as Protected," then fine: 99 percent of the time, Protected mode needs to be turned off so that we can work with the documents.

Well, Dan, the problem is with this: "the vulnerability is notable because it bypasses exploit mitigations". If that were true, then users wouldn't have to disable Protected View. So the fake outrage comment you made was out of order.

> The specific exploit obviously won't work on Macs. But so far there's no indication that the Mac versions of Word suffer from the same vulnerability that could be exploited by Mac-specific attack code.

This comment from the previous story about the exploit seems to imply that it doesn't suffer from that vulnerability with pretty good detail as to why. Might be worth pointing out to people who keep asking.

> Well, Dan, the problem is with this: "the vulnerability is notable because it bypasses exploit mitigations". If that were true, then users wouldn't have to disable Protected View. So the fake outrage comment you made was out of order.

The problem is every document you receive in an email will open in Protected View; in many offices people constantly email files back and forth for review/printing. You cannot print in Protected View, thus by default most people click the button without even thinking. The way Office handles files is awful, to say the least, as there is no way to truly preview/print the document without escaping Protected View...

> Well, Dan, the problem is with this: "the vulnerability is notable because it bypasses exploit mitigations". If that were true, then users wouldn't have to disable Protected View. So the fake outrage comment you made was out of order.

The quote is actually: "As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows" That means things like DEP and ASLR. Protected View is not a mitigation built into Windows. I'm not sure if your choice to pare down the quote was in the interest of brevity or a disingenuous attempt to win an argument.

> The problem is every document you receive in an email will open in Protected View; in many offices people constantly email files back and forth for review/printing. You cannot print in Protected View, thus by default most people click the button without even thinking. The way Office handles files is awful, to say the least, as there is no way to truly preview/print the document without escaping Protected View...

I'm only pointing out that these two articles keep saying the user doesn't have to do anything to get infected, but that's not true, because files from the Internet open in Protected View automatically and it has to be disabled by the end user to become infected.

DKIM digitally signs messages sent by your internal email servers so that systems on your network, as well as remote systems receiving mail from you, can know that the message originated from your email server. It lets services automatically reject mail that uses your domain name without your permission.

SPF whitelists which servers are allowed to send mail for your domain name -- and so it prevents someone from just spinning up any old zombie, and using it to deliver mail on your behalf.

And then DMARC generates automatic reports when Microsoft, Google or Yahoo see a DKIM or SPF violation. They automatically tell you someone's trying to do it, and which accounts they're targeting.

It's not perfect, it's not going to completely reduce the surface area. But they won't be able to just slap "scanner" in front of your domain name and deliver a message successfully.
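As an added example that is not from the commenter or from any mail software, here is a small Python evaluator for the checks the post describes, run against constructed DNS records for a hypothetical example.com: SPF decides whether the connecting host may send for the domain, and DMARC combines that with DKIM alignment to reach a disposition. The records, IP addresses and the lure scenario (a forged scanner@example.com message from an unauthorized host) are all constructed; a real receiver fetches these records from DNS and verifies the DKIM signature cryptographically, which is represented here only by a result string.

```python
import ipaddress

# Constructed TXT records for a hypothetical domain; not real DNS data.
# A real receiver resolves these with DNS queries instead of a dictionary.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.

    Handles the ip4, ip6, include and all mechanisms, enough to show how a
    receiver decides whether a host is allowed to send for the domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        verdict = QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return verdict
        if mechanism in ("ip4", "ip6"):
            # ipaddress returns False for membership across IP versions.
            if ip in ipaddress.ip_network(argument, strict=False):
                return verdict
        elif mechanism == "include":
            if spf_check(argument, sender_ip, depth + 1) == "pass":
                return verdict
        # Other mechanisms (a, mx, exists, ...) are ignored in this example.
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # DMARC defaults to relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain; real implementations consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM outcomes with the From: domain's DMARC policy.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= tag of a verified signature ("" when there is none). Returns "pass"
    when the message is authenticated and aligned, otherwise the published
    policy (none, quarantine or reject), or "none" if no policy exists.
    """
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


def screen_message(from_domain, mail_from_domain, sender_ip, dkim_result="none", dkim_domain=""):
    """Run SPF for the connecting host, then apply DMARC for the From: domain."""
    spf_result = spf_check(mail_from_domain, sender_ip)
    return spf_result, dmarc_disposition(from_domain, spf_result, mail_from_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # Lure forging scanner@example.com from a host the domain never authorized:
    print(screen_message("example.com", "example.com", "192.0.2.77"))
    # The genuine scanner, relayed through the authorized mail host:
    print(screen_message("example.com", "example.com", "198.51.100.10"))
```

With p=reject published, the forged message fails SPF (the host matches neither the ip4 range nor the include) and carries no aligned DKIM signature, so the receiver's disposition is reject; the same message sent through the authorized relay passes. The aggregate reports the post mentions are what the rua= address receives from those receivers.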

> I'm only pointing out that these two articles keep saying the user doesn't have to do anything to get infected, but that's not true, because files from the Internet open in Protected View automatically and it has to be disabled by the end user to become infected.

The articles do *not* say the user doesn't have to do anything to get infected. Stop misrepresenting what's being reported.

> This comment from the previous story about the exploit seems to imply that it doesn't suffer from that vulnerability with pretty good detail as to why. Might be worth pointing out to people who keep asking.

Thank you--I was just looking for that comment to share.

(Though, in fairness, it's an unverified comment from an unconfirmed source. I don't have any reason to believe it's not correct or that the poster isn't who they say they are, but if you want to be skeptical about it, it's not the same as "proof".)

> This comment from the previous story about the exploit seems to imply that it doesn't suffer from that vulnerability with pretty good detail as to why. Might be worth pointing out to people who keep asking.

Thanks for pointing that out. I'm guessing the person is who s/he claims to be. It's probably genuine, but until Microsoft puts out an official statement, I think Mac users are better off paying attention to these exploits.

> The problem is every document you receive in an email will open in Protected View; in many offices people constantly email files back and forth for review/printing. You cannot print in Protected View, thus by default most people click the button without even thinking. The way Office handles files is awful, to say the least, as there is no way to truly preview/print the document without escaping Protected View...

I would love an explanation for why printing fell on the restricted side of Protected View. What does printing do (or enable) that it can't be enabled in Protected View? Is this specific to the details of how MSOffice (or MSWindows?) implements printing, or does any application that allows printing enable similar exploits? Could an application be created that enabled printing without also opening a giant security hole?

> You have 1(one) unread fax.
> Sender: 509-472-4016 Date: April 11, 2017
> Please click the link below, to view your fax on our website:
> https://myaccount.xxxx.com/faxes/view.aspx?action=view&faxid=6648605
> Please remember that, in order to view the fax online, Microsoft Word must be installed on your system.
> Thank you for choosing us

> I would love an explanation for why printing fell on the restricted side of Protected View. What does printing do (or enable) that it can't be enabled in Protected View? Is this specific to the details of how MSOffice (or MSWindows?) implements printing, or does any application that allows printing enable similar exploits? Could an application be created that enabled printing without also opening a giant security hole?

I suspect it's simply because Protected View strips out a lot of formatting, which someone wanting to print the document is likely to want to have preserved.

> Thanks for pointing that out. I'm guessing the person is who s/he claims to be. It's probably genuine, but until Microsoft puts out an official statement, I think Mac users are better off paying attention to these exploits.

Fair enough with respect to identity verification. The explanation does make technical sense regardless of the source though, so I thought it worth pointing out.

What versions of Office have the File Block settings? I have Office 2007, and don't see options anywhere like have been listed, for either the Registry or in Word.

For Office 2007, you'll need admin rights and the Administrative templates in Group Policy Editor.

For Office 2003, you'll need both of the above, and install KB 934181 as well.

"Opening a file is blocked by your registry policy setting or File Block settings in Word"
support.microsoft.com/en-us/help/922849/opening-a-file-is-blocked-by-your-registry-policy-setting-or-file-block-settings-in-word
(The article discusses disabling them; do the reverse. The DWORD values you need are toward the bottom of the document; click the down-arrow.)

Things like this make working in an office for a company that depends on email attachments to get things done an exciting proposition.

And it's made even better by the fact that when the company conducts "training" with (incredibly obvious, to me) phishing exercises, a double-digit percentage of people in my department open the attachments!

I have all the phishing training emails at work filtered off into a "Phishing Training" folder based on an obvious identifier in the header. Does this mean I passed the training?

I've been enforcing strict SRP and/or AppLocker policies for like 12 years now. It blocks these types of attacks for the most part. It's not an impenetrable barrier, but it stops 99% of the drive-by stuff.

> As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever.

This still requires user intervention to execute, so how about STFU on the melodramatics.

Do people still click the yellow bar to "enable editing"? Sure, but at some point people at the wheel must hold responsibility. I mean, damn, a man was decapitated and died because an agnostically blind autopilot system continued at speed and course, and Ars still loves Tesla, and Ars seems to blame the user (incorrectly -- an autopilot must discontinue operation when "blind" by definition. I mean, I would slow down if I were "blinded by the light").

The exploit in fact by definition does not "bypass exploit mitigations". A yellow bar to "enable..." content is by definition a mitigation, so how about no more demonstrably FALSE statements in security articles. So, as usual Dan LIED to clock up clicks in a security post.

Is the vuln nasty: Yes.
Is the manner of reporting accurate: Hell no.
Will it spread in rate like a true "bypasses exploit mitigations" virus / worm (e.g. Melissa): Nope -- Users don't even click "yes" / "enable" for their boss' emails at that rate.
Will it spread widely: Yes, because people are idiots -- it's the basis of many of Dan's articles' success (maybe he should be an insurance salesman -- the tone certainly has the right fearmongering sleaze)

Must we have a "if people would just never use features ever; this wouldn't happen!" post for every malware report?

Meh, only affects those n00bs who might want to 'edit' a document. Fake news!

I think IT people sometimes don't appreciate the vigilance expected of users who are much less technically savvy.

This particular exploit sends a document that is named in a similar way to the documents our scanner sends. It appears to be coming from the same domain. If a user comes back to their desk after scanning a document and sees an email with a file named scan... attached, it's almost inevitable they'll open it. This situation is plausible in a large office. Users I work with aren't stupid, but they aren't IT experts. You can't be good at everything. Even IT professionals are vulnerable. If you come home after an exhausting day of work and let your guard down even once, you're fucked. Asking for that kind of sustained vigilance from everyday users is unrealistic.

Looks like those dumb old fogies in my doctor's office who use faxes to send text data back and forth may not be so dumb after all.

At least until you add a fax server to the system (which anyone slinging faxes in nontrivial volume tends to). Then you get the atrocious quality and complete lack of encryption over the phone line, and monstrously complex and potentially vulnerable software on the server and/or client!

> The exploit in fact by definition does not "bypass exploit mitigations". A yellow bar to "enable..." content is by definition a mitigation, so how about no more demonstrably FALSE statements in security articles. So, as usual Dan LIED to clock up clicks in a security post.
>
> Is the vuln nasty: Yes.
> Is the manner of reporting accurate: Hell no.
> Will it spread in rate like a true "bypasses exploit mitigations" virus / worm (e.g. Melissa): Nope -- Users don't even click "yes" / "enable" for their boss' emails at that rate.
> Will it spread widely: Yes, because people are idiots -- it's the basis of many of Dan's articles' success (maybe he should be an insurance salesman -- the tone certainly has the right fearmongering sleaze)

It bypasses mitigations, but perhaps not all of them. Also note that it is only from Office 2013 that the "open in read only mode" feature exists. Given how many offices run on older versions of Office, it is still a relevant concern.

Also note that "open in read-only mode" is overzealous at best (it opens files on any network share in that mode because you don't know who might have modified them), which means that I think a lot of more technically savvy users have it turned off. It is after all the first time that that feature does anything useful instead of just being annoying.

In case you missed this: Update, 4/11/2017 9:53 California time: Ryan Hanson, a researcher at security firm Optiv who discovered the Word vulnerability last July and reported it to Microsoft in October, says exploits can bypass Protected View mitigations. He said the registry tweak outlined above prevents such bypasses from working.

I just updated the post to report that exploits can bypass Protected View mitigations.

Does the method I suggested a few posts up protect users appropriately? In recent Word versions you can go to Options > Trust Center > Trust Center Settings > File Block Settings and selecting 'open' and 'save' for RTF, and selecting the radio button "Do not open selected file types".
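As an added example that is neither Microsoft's code nor anything the commenters posted, the following Python audit reports whether Word's File Block settings for RTF match the configuration described in this thread ("open" and "save" blocked for RTF, and "Do not open selected file types"). The registry key Software\Microsoft\Office\<version>\Word\Security\FileBlock and the value names RtfFiles and OpenInProtectedView are the ones Word uses for these settings; the numeric meanings assumed here (RtfFiles = 2 for open and save blocked, OpenInProtectedView = 0 for do not open) are taken from Microsoft's published workaround for this issue and should be checked against KB 922849 linked above before the verdict is trusted. The decision logic takes a plain dictionary so it can be exercised on any platform; the registry read itself only works on Windows.

```python
try:
    import winreg  # Windows only; the verdict logic below is platform independent
except ImportError:
    winreg = None

# Assumed DWORD meanings (assumption: from Microsoft's published workaround;
# confirm against KB 922849):
#   RtfFiles == 2             -> RTF blocked for both open and save
#   OpenInProtectedView == 0  -> "Do not open selected file types"
RTF_OPEN_AND_SAVE_BLOCKED = 2
DO_NOT_OPEN = 0

FILE_BLOCK_PATH = r"Software\Microsoft\Office\%s\Word\Security\FileBlock"


def file_block_verdict(settings):
    """Classify one FileBlock key's RTF handling.

    `settings` maps registry value names to DWORD integers; a missing value
    means the setting is not configured. Returns (code, explanation).
    """
    rtf = settings.get("RtfFiles")
    pv = settings.get("OpenInProtectedView")
    if rtf is None:
        return "unconfigured", "no RtfFiles value: RTF opens normally"
    if rtf != RTF_OPEN_AND_SAVE_BLOCKED:
        return "partial", "RtfFiles=%d does not block both open and save" % rtf
    if pv != DO_NOT_OPEN:
        return "protected_view", (
            "RTF is blocked, but OpenInProtectedView=%r is not %d (do not open)" % (pv, DO_NOT_OPEN))
    return "blocked", "RTF will not open at all"


def read_file_block(version="16.0"):
    """Read the two FileBlock values for one Office version from HKCU (Windows only).

    Returns an empty dict where the key, the values, or winreg itself is absent.
    """
    settings = {}
    if winreg is None:
        return settings
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, FILE_BLOCK_PATH % version) as key:
            for name in ("RtfFiles", "OpenInProtectedView"):
                try:
                    settings[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return settings


def audit_word_versions(versions=("14.0", "15.0", "16.0")):
    """Verdict per Office version hive (2010, 2013, 2016 and later share 16.0)."""
    return {v: file_block_verdict(read_file_block(v)) for v in versions}


if __name__ == "__main__":
    for version, (code, why) in audit_word_versions().items():
        print("Word %s: %s (%s)" % (version, code, why))
```

Group Policy can also set these values under HKLM, which this per-user read does not cover; a machine-wide audit would repeat the read against that hive.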

> Thanks for pointing that out. I'm guessing the person is who s/he claims to be. It's probably genuine, but until Microsoft puts out an official statement, I think Mac users are better off paying attention to these exploits.

I am indeed me. Feel free to check out my previous posts in the Mac Ach. I've worked on Mac Office for >20 years. I'm an engineer tho, not a PR spokesperson, and not responsible for any "official" statement.

An email with an attachment that is crafted in any way remotely related to any person in any way... will be opened by someone. Even if you tell them outright not to open it... someone will open it. The senders of this malware know this.